Posts by Tufty Squirrel

When I worked for "a well known airline"

we installed some "largeish" monitors in order to display the engineers' schedule. Specced at 42", because apparently that's too big for the thieving pikey engineer bastards to nick. It took 4 people to lift the bastarding things.

Oh, for fuck's sake roll it back.

Re: No sympathy from me...

> I didn't ask ...

Yes you did. You used sites that make your downloads and actions public, you have a public blog, twatter account, and Register account using the same handle. You give away your identity on the first two, and then complain that you're easy to find?

Re: A rant, and a question (the question's at the end)

My guess (based on how most half-sane people would do it) would be that they're salting each user's password with a unique-per-user salt, so when you enter your new password it's merged with "your" salt, hashed, and the hash then compared against your previous password hashes to detect "naughty" password reuse.

This approach would keep 99% of the usefulness of the salt (i.e. you can't generate a rainbow table and mass-reverse everybody's hashes), and any additional weakness this introduces is rather overshadowed by their insane password policy anyway.

Ebay's password policy, in which password space is bounded to 6 <= length <= 20 characters, passwords must contain 2 of [lower-case, upper-case, punctuation-symbols], with no single dictionary words allowed (amongst other things), whilst removing the possibility of passwords like "apple", reduces the search space for brute-forcing algorithms significantly (with the main culprits being the low minimum length requirement and the bounding of password length to 20 characters).

Re: "Encrypted" passwords

>> where as if my unsalted encrypted password has been released then I'm much more angry.

You're wrong, then. Let's assume (and it may be a rather large assumption) that ebay are not complete fucking maroons, and are not only salting your password, but salting your password with a unique-to-you, or better, unique-every-time-you-change-your-password salt. Now, as the bad guys have your salted password hash, they can't do anything with it, right? Wrong. Of course they can. If they've managed to extract your salted, hashed password from ebay's database, we can also assume they bothered to extract the salts at the same time, and they know the salting & hashing algorithm that ebay use. Because they aren't fucking mongs either; indeed, we should assume they are somewhat smarter than you or I. So, if your account particularly takes their interest, they are perfectly capable of building a rainbow table for reversing your password hash to its original plaintext version of "ebay.com". If it's salted uniquely per password, they can't then use the rainbow table to reduce the time taken to do an *en masse* reverse; they effectively need to brute force every password. And even that is less of an issue should they happen to have a botnet at their disposal; all they need to do is distribute hash/salt pairs out, and have their bots do the crunching via brute force rather than rainbow tables. That's how I'd do it, anyway.

We can probably assume that ebay have fallen into the common trap of using lower-complexity hashing algorithms, on the grounds that 500ms is too long to wait to log in, and the combined compute load of their users logging in would be too expensive should they use something "heavyweight". Which is fair enough, but it makes brute-forcing feasible, time-wise. And even if they are using something "hard", all the brute forcer needs to do is give up after a certain amount of time, or put harder hashes "back onto the queue" for later attention, focussing on getting the lower hanging fruit first.

Whichever way you look at it, if they want into your account, you're proper fucked whatever happens.
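Added example (my code, not the commenter's): the per-user-salt scheme described in the "A rant, and a question" reply above, where a candidate password is hashed under the user's own salt and compared against the stored history, combined with a deliberately slow PBKDF2 work factor as the defence against the brute-forcing this post discusses. Class and function names are my own.

```python
import hashlib
import hmac
import os

# Work factor: a slow KDF is what makes offline brute force expensive.
# 100k iterations is a constructed value for the example, not eBay's setting.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class UserRecord:
    """One user: a salt chosen once, the current hash, and a bounded history."""

    def __init__(self, password: str, history_len: int = 5):
        self.salt = os.urandom(16)          # unique-per-user salt, fixed for the account
        self.history_len = history_len
        self.current = hash_password(password, self.salt)
        self.history = []                   # previous hashes, newest last

    def verify(self, password: str) -> bool:
        """Login check: constant-time compare of the recomputed hash."""
        return hmac.compare_digest(hash_password(password, self.salt), self.current)

    def reused(self, password: str) -> bool:
        """The reuse check from the post: because the salt is per-user (not
        per-change), hashing the candidate once is enough to compare it against
        every stored hash for this account."""
        candidate = hash_password(password, self.salt)
        return any(hmac.compare_digest(candidate, h) for h in [self.current] + self.history)

    def change(self, new_password: str) -> bool:
        """Rotate the password unless it matches the current or a recent one."""
        if self.reused(new_password):
            return False
        self.history.append(self.current)
        self.history = self.history[-self.history_len:]
        self.current = hash_password(new_password, self.salt)
        return True


def same_password_collides_across_users(password: str) -> bool:
    """Two accounts with the same password: with per-user salts their stored
    hashes differ, so one precomputed table cannot reverse both at once."""
    a, b = UserRecord(password), UserRecord(password)
    return a.current == b.current


if __name__ == "__main__":
    u = UserRecord("ebay.com")              # constructed sample password from the thread
    print("reuse blocked:", not u.change("ebay.com"))
    print("cross-user collision:", same_password_collides_across_users("ebay.com"))
```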

Re: So close...

This.

As for "pissing about with remote computers whilst I'm in the marshes", I can do that just as well, and probably better, with my thinkpad. What the surface brings (and the *only* thing it brings) is the "tablet" side of things, which is utterly useless for the aforementioned remote login stuff (and, of course, is available far more cheaply on a non-surface laptoplet hybrid).

It's a shame really. The ARM version is far too locked down (at the current $199 for a "refurb" - read "written off as part of the $900M loss MS took on them" - it would be attractive if you could do anything useful with it), the Intel version far too expensive, and neither of them fill a particular niche.

So far, MS have pissed away nearly a billion and a half on Surface. I don't see this version turning that around.

Re: Delicately put

Up to a certain point, there are gains to be had. If you have a decent amp, source, and speakers, then you /may/ be able to hear the difference between super-cheapo "wet string" bellwire speaker cable as shipped with Dixons-style hifi and a "fatter" speaker cable. You will not, however, be able to tell the difference between £10/m speaker cable, £1000/m monster cable, or 10p/m 1.5mm solid core mains cable - there is none.

Re: I don't get it..

>> I don't know with Open Source either. What I do know is that it's much easier to go find
>> new holes in Open Source given the motivation as you can look at the source code...

Cobblers. Holes are mainly found by fuzzing, not by poring through source code. Exploits rely on code mishandling user-supplied data - fuzzing involves sending enormous quantities of deliberately broken data at something until it does something it's not supposed to. This is far easier than having to work out what some piece of logic is supposed to be doing, what it's actually doing, and why it's broken in this or that edge case. Chuck a load of crap at a victim machine (that you also control), wait for it to go bang, and then work out what you are going to be able to do while the smoke's clearing.

3% of mobile devices? Surely that can't be right?

Re: But do all Macs run OSX?

>> Let's say I have xcode on screen one, photoshop on screen 2. Working in xcode.
>> Now I need to do something in photoshop from a menu. So I have to mouse over to
>> photoshop on screen 2, activate it, mouse back to screen one, select from the
>> menu, mouse back to xcode.

That's not only a fairly contrived example (I doubt many developers have XCode and Photoshop open at the same time for work on the same project), but it's also 100% wrong. I currently have emacs on my laptop's built-in monitor (along with Chrome that I'm typing this into, and a bunch of other crap), and IDA Pro (my old windows copy, running in a VirtualBox VM) on the external monitor. Now, should I need to touch the apple menu bar on the external monitor (rare with VirtualBox, it's got shit-all you'd want to fiddle with anyway, but the principle remains the same), I mouse over to the other screen (well, pen, actually, wacom tablet so no dragging needed), activate the app (one click, the same one you'd have to use under windows or a single-screen mac) and the apple menu bar automagically pops up on the external monitor. I'll grant that for a draggy mouse you'd have extra mileage to get to the other screen, but you'd have that under windows as well.

Horses for courses, really. I use a mac because I like the way it works, it can be made to fit(t) with my workflow. I don't like windows because it can't. A lot of that is probably because it's what I'm used to, that my expectations of how my workflow should flow are at least in part based on the way I'm used to OSX (and MacOS before it) behaving - the same can probably be said regarding your experience and opinion.

Re: MS took that to heart and people still complain.

Re: 6502/6809's rool btw...

EIEIO on the 6502? You jest. It's the PowerPC "Enforce Instruction Execution In Order" opcode. It *might* go back as far as IBM's 801 processor, or more likely the original POWER ISA, but no further. The first time you're liable to have come across this unless you were doing low level AIX development on IBM hardware is when the first PowerPC Macs came out in 1994. About ten years after the 6502 was commonplace.

Re: MAC users aren't that dumb.... ...?

Re: Less annoying than mangled text?

>> if it's not intrusive

That's the thing, though, isn't it? Advertising *is* obtrusive. TV ads are mastered to run at a higher volume than the programs they intersperse. Web banner ads are placed and designed such as to demand your attention. And so on.

The response is instamuting the telly every time the ads come on, adblock pro, noscript and other browser addons. Ads are largely speaking offensive (not in a NSFW sense) and intrusive, it's how they are designed, and people try their hardest to avoid them.

So what's this? An adman's wet dream. Ads that not only you can't skip, but that demand 100% of your attention whilst you're not skipping them.

Re: Did you take the GS to a garage?

Ah, Citroen handbrakes. Gotta love 'em. Especially when you've got a flat rear tyre on your BX (yeah, I had the super-cheapo model, if you think the GS suspension was bad you need to try a clapped out BX), and you're parked on an icy car park. Hint - the only way to stop the wheel spinning on the ice is to block it - OK if it's the left hand rear, as you can use a blanket laid under the front and rear wheels, but the right hand rear is basically impossible.

Re: *epic facepalm*

Exactly.

We (the western world, and probably much of the rest) have a huge problem with illegal drugs. We don't even know the full scale of it, because, as an illegal situation, it's almost entirely underground. The only bits we see are the health and criminality repercussions, which are a secondary problem, not the primary one.

How would legalising help?

The supply chain would no longer be in the hands of criminals. Primary suppliers (the cocaine farmers in South America, for example) would be paid a fair price, improving their way of life. A significant load would be taken off the hands of customs and excise. Drug mules would no longer be risking their lives.

Quality control would no longer be in the hands of criminals. Rather than having drugs cut with whatever shit comes to hand, users would be guaranteed pharmacological grade drugs. Result - fewer overdoses, fewer secondary health effects, a huge weight taken off the health service.

Distribution would no longer be in the hands of criminals. Result - tax income, and a concrete idea of how big the problem is. An ability to contact and help those who are dependent, without having to "overlook" the criminal aspect of what they are doing.

FWIW, my grandfather came home from the first world war with half a leg less than he went with, and a lifelong diamorphine addiction that he didn't have when he went. After coming back, he held down a responsible job until retirement, despite twice-daily doses, and finally passed away aged 92. The difference between his addiction and that of the average street junkie was that his heroin came direct from the NHS.

Legalising is the first step to solving the problem. Criminalising is a total abandonment of duty.

So, yeah, this lot might be a bit nutty in some respects, but they're bang on the money as far as drugs go.

Re: Ultimately a worry.

>> Microsoft's domination over integrated HW/SW designs will be of great concern for everyone.

Nah.

Look what happened with XBox.

V1 was pretty much a PC in a funky case, and worked better as a PVR than a games console. It tanked compared to the PS2.

V2, the original 360, was awesome, modulo the odd hardware issue. It kicked the PS3's ass so hard MS thought they had won, and started fscking with the interface, making it an ad delivery platform, etc. Result - PS3 is winning again.

V3, the Xbox "one", is dead in the water compared to the PS4. MS have backtracked and u-turned on their plans so often I doubt even they know what their plans are.

Sony are evil, arguably more evil than MS, but they aren't incompetent. MS have both in spades.

Re: The first PDA

It was (and, to some extent, still is) far more than just a PDA. It was a full computing platform, and while people who haven't used them in earnest (I still have, and use, my MP2100) focus on the handwriting aspect*, there was far more to it than just that.

- No "filesystem", just a big "soup" of data. You don't need to worry about where their data is stored in some arbitrary hierarchy of devices and folders, or what you've called it, all you ned to know is what you're looking for. There's nothing quite like that, even now.

- Extreme integration. This lives on, to some extent, in some of Apple's software (for example, highlighting of (fuzzy) dates in Mail.app enabling you to add items to the calendar, etc), but Newton hooked into everything, even 3rd party apps.

- Write anywhere. The handwriting recognition might not have been perfect, but it fit perfectly with the form factor of the handheld Newtons. Keyboards worked too, of course, and would have been good for a "desktop" NewtonOS device. MS might be failing with their "one UI fits all" paradigm, but Newton had it in the '90s.

- Expandability. USB, Wifi, Bluetooth, ATA storage cards, all aftermarket "hacks" for the Newton that work very nicely despite the fact they hadn't even been invented when it was released. Quite astounding when you realise the restrictions of the platform.

- Instant on. Really. Totally instant in most cases. Straight back to where you were when you turned it off. Even if that was weeks, months, or even years ago (in which case you might need to boot from cold, but you lose nothing - try taking the batteries out of your Palm pilot and see where that gets you).

What really killed it (apart from the price and the heckling) was the fact it was so radically different from other platforms. It was hard to make it work properly with the "status quo". Sure, you could sync it and keep your data safe, but that was about it. Interop with desktop apps other than calendars and address books was hard to do (and is even harder now).

Newton is probably the closest thing to the perfect computing platform ever invented (eclipsed, possibly, by the Lisp machines). It's a crying shame the rest of the world hasn't managed to catch up.

* The descendant of the Calligrapher cursive recogniser used by the later Newtons is now, I believe, owned by MS, which is why OSX's "ink" recogniser (OSX 10.2+) only handles printed handwriting.

I know it's Friday and all, but hey.

>> a standalone Nokia under Elop, which has been going great guns for the past year.

Since Elop's infamous "burning platforms" memo, Nokia have gone from being the number one mobile supplier (and projected to stay there), the world's biggest smartphone supplier (and projected to stay there) to an industry joke. In the 2 years from 2010 to 2012, Nokia's business fell back more and more on the featurephone market, with smartphones dwindling from 35% to 14% of their output. They currently have around 2% of the smartphone market. That's "stellar"* performance.

If standalone Nokia under Elop had been going "great guns", they wouldn't have been bought out for pennies on the Pound by Microsoft. The only gun they've been wielding is the footgun, and Elop's been using it with great precision.

It's all a bit irrelevant, really.

Whether or not the black helicopter crew can decrypt information is largely irrelevant. The fact that they can detect that it is encrypted is enough. Once they know that, rubber hose cryptanalysis is enough.

There are 2 use cases.

One is that someone is leaking information that "they" would rather not have out in the wild (Snowden, Manning et al). Once the information is leaked, what they want is to plug the leaks and "deal with" those involved in the leaking. So the whole idea of secrecy is about hiding who you, and your sources, are. Cryptography doesn't help much in that.

The second is that you are transmitting information that you'd rather nobody knows about. It may be that you're cheating on your significant other, it may be that you're planning a terrorist attack. Here you want to keep the information *and* identities secret - at some point the information must be decrypted, so "they" only need to find one end or the other of the chain and, again, apply rubber hose cryptanalysis methods.

Once one or more of the identities are known, all bets are off. Decryption may be possible (if expensive), but rubber hoses are cheap and readily available.

"Don't trust electronic communications" is the only reasonable approach.

Re: Wow, it truly is amazing the mis-steps Microsoft is making.

>> Excel is still the best spread sheet.

No, Excel is the most commonly used spreadsheet. It was left in the dust in terms of features by Improv and Quantrix, and still hasn't reached where they were 20 years ago. Excel is probably the number one example of a market leader stifling innovation to the point of holding the market back.

As for Windows RT, I'm sure MS will manage to improve on that $900M writeoff.

Re: Simple solution

>> SD card blah blah apps to SD card

But you still run out of space. Not space to store applications and documents on the SD card itself, but "internal" memory used by applications and Android itself. My several-hundred-euro tablet running Android has >16GB free on its SD card, but won't check my mail because

As it happens, it's *alleged* sexual assault, and he's not yet been actually *charged* with anything. He, of course, denies the allegations, claiming the relationships in question were consensual, and reckons the whole thing is a put-up job to make him more easily extraditable to the US.

He has, however, offered to meet and co-operate with the Swedish investigators at his current "abode", or to go to Sweden if guarantees are issued vis-a-vis his safety from extradition to the US. The Swedes have refused both options.

Re: Technical mechanics...

>> They get what they deserve, especially since Android tells you that an application has
>> permissions to send SMS under a large heading that says "services that cost you money."

The problem is 3-fold, and categorising those affected as being somehow "deserving" is both condescending and hideously unfair.

1 - Pretty much *every* application demands a raft of permissions. As a user, you have no way of knowing *why* they are demanding those permissions, or what, exactly, the application will do with them.

2 - The user (self included) wants to run the application (it's why he / she has downloaded it in the first place), doesn't necessarily understand what the permissions mean, and is already used to simply clicking through without thought (see 1 above). So they simply click through without thought.

3 - Android doesn't give any option of "install this app, but disallow this subset of the permissions it's asking for". It's either "install the app, and give it what it wants", or "don't install the app". And the user, as previously noted, /wants/ to install the app.

I would imagine that the percentage of apps which fail to be installed at the point they've hit the "wants these permissions" screen of the installer is vanishingly small. Android's "wants these permissions" thing is far too little, and potentially worse than the "do nothing" option.